
By hijacking legitimate remote‑support software, attackers gain persistent, stealthy access to critical networks, raising breach risk for sensitive industries. Organizations must treat unexpected government‑related attachments as high‑risk and reinforce endpoint defenses.
Phishing campaigns that masquerade as government communications have surged, and the latest wave leverages a fake Social Security Administration email to distribute a malicious .cmd payload. Unlike traditional ransomware that relies on novel code, this attack exploits human trust and familiar branding, increasing click‑through rates across the UK, US, Canada, and Northern Ireland. The initial email contains subtle red flags—misspelled domains and titles—but many users overlook them, providing a foothold for the script to execute.
Once executed, the script performs a series of stealthy maneuvers: it uses PowerShell auto‑elevation to gain admin rights, disables Windows SmartScreen, strips the Mark‑of‑the‑Web (MotW) tag, and writes malicious components into NTFS Alternate Data Streams (ADS). These techniques effectively blind built‑in Windows defenses, allowing a silent installation of ConnectWise ScreenConnect version 25.2.4.9229. By repurposing a legitimate remote‑support tool signed with a revoked certificate, the attackers create a credible backdoor that calls home to an Iranian server on port 8041, blending into normal network traffic and evading many security solutions.
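The detection side of that chain, as an added example that is not part of the article and not code from ConnectWise or any vendor: a small Python triage pass over Sysmon-style JSON events that flags the four behaviours the article describes (SmartScreen turned off, MotW removal, ADS writes, and a ScreenConnect client connecting out on port 8041). The event shape, field names (EventID, Image, CommandLine, TargetObject, Details, TargetFilename, DestinationIp, DestinationPort), file paths and IP addresses in the sample log are all constructed for the example; the two registry locations are the standard Windows SmartScreen settings, and the port is the one the article reports.

```python
"""Triage Sysmon-style JSON events for the SmartScreen/MotW/ADS/ScreenConnect chain.

Everything here is an illustrative detection, not vendor code. The log lines
below are constructed; the field names follow Sysmon's event schema loosely.
"""
import json
import re

# Standard SmartScreen settings (matched by suffix so the hive prefix does not matter).
SMARTSCREEN_VALUES = (
    r"\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
    r"\Policies\Microsoft\Windows\System\EnableSmartScreen",
)
SMARTSCREEN_OFF = {"off", "0", "dword (0x00000000)"}
# Port the article reports the ScreenConnect backdoor calling home on.
SUSPECT_PORT = 8041
# A second colon after the drive letter names an alternate data stream (file.txt:stream).
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")

# Constructed sample log: paths, IPs (documentation ranges) and file names are made up.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c statement.cmd"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled", "Details": "Off"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Remove-Item -Path .\\setup.exe -Stream Zone.Identifier"}
{"EventID": 15, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\Public\\report.txt:payload.bin"}
{"EventID": 15, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\doc.pdf:Zone.Identifier"}
{"EventID": 3, "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8041}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443}
"""


def parse_events(lines):
    """Parse JSON lines into dicts, skipping blank or malformed records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad record should not abort the whole triage
    return events


def check_event(ev):
    """Return the detection tags that apply to a single event."""
    tags = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        details = str(ev.get("Details", "")).strip().lower()
        if target.endswith(SMARTSCREEN_VALUES) and details in SMARTSCREEN_OFF:
            tags.append("smartscreen_disabled")
    elif eid == 15:  # file stream created
        name = ev.get("TargetFilename", "")
        # Browsers legitimately create Zone.Identifier; any other ADS is worth a look.
        if ADS_RE.match(name) and not name.endswith(":Zone.Identifier"):
            tags.append("ads_write")
    elif eid == 1:  # process create
        cmd = ev.get("CommandLine", "").lower()
        if "zone.identifier" in cmd or "unblock-file" in cmd:
            tags.append("motw_stripped")
    elif eid == 3:  # network connection
        image = ev.get("Image", "").lower()
        if "screenconnect" in image and ev.get("DestinationPort") == SUSPECT_PORT:
            tags.append("screenconnect_beacon")
    return tags


def triage(lines):
    """Group the events that fired each detection tag."""
    findings = {}
    for ev in parse_events(lines):
        for tag in check_event(ev):
            findings.setdefault(tag, []).append(ev)
    return findings


def chain_observed(findings, minimum=3):
    """True when enough distinct stages of the chain appear on one host to escalate."""
    return len(findings) >= minimum


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for tag, events in sorted(result.items()):
        print(f"{tag}: {len(events)} event(s)")
    print("escalate:", chain_observed(result))
```

Each individual tag is noisy on its own (administrators do unblock files, and some software writes ADS); the value is in correlating several stages on the same host within a short window, which is what `chain_observed` approximates.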
The broader implication for enterprises is clear: reliance on trusted utilities does not guarantee safety. High‑value sectors such as government, healthcare, and logistics must adopt a layered security approach—combining robust email filtering, strict application whitelisting, and continuous endpoint monitoring. User education remains vital; treating any unexpected government attachment as suspicious can stop the chain before escalation. As threat actors continue to weaponize everyday software, organizations that proactively harden defenses and enforce zero‑trust principles will be better positioned to mitigate these sophisticated intrusion attempts.